The Bottom Line
- California may have been the first to enact a comprehensive privacy law, but Nevada will be the first new law to become effective and will certainly not be the last.
- As evidenced by the updated Nevada law and the proposed New York law, companies may have to comply with inconsistent and perhaps conflicting standards.
- In order to stay abreast of these many developments, companies need to develop compliance programs with these existing and pending laws in mind.
With approximately six months remaining before the California Consumer Privacy Act (CCPA) comes into effect, businesses that operate a website or an online service now have another privacy law that they need to consider. More specifically, the State of Nevada passed Senate Bill 220 (SB 220), which updates the state’s existing privacy laws to provide Nevada residents with more control around the sale of their personally identifiable information to third parties.
SB 220 goes into effect on October 1, 2019, so covered businesses only have a few months to prepare for compliance. The silver lining, however, is that SB 220 is much narrower than the CCPA and does not provide the same breadth of rights, such as the right to access or deletion, or any private right of action.
Existing Nevada Law
Current Nevada law requires website and online service operators to provide notice of the operator’s collection, use and disclosure practices relating to “Covered Information.” This includes name, contact information (i.e., email address, street address and phone number), social security number, identifiers that can be used to contact an individual either physically or online and any other information collected from a person in combination with an identifier that makes the information personally identifiable.
Overview of Senate Bill 220
SB 220 adds to the current Nevada law and will require website and online service operators to provide Nevada residents with a right to opt-out of the “sale” of Covered Information collected online. In particular, operators will need to establish a “designated request address” — that is, an email address, toll-free telephone number or website — through which a consumer may submit a verified request directing the operator not to make any sale of Covered Information collected or to be collected about the consumer.
Further, the law only applies to “verified requests,” meaning the operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means. The operator must respond to a verified request within 60 days after receiving the request, although that period can be extended for an additional 30 days with notice to the consumer, if the operator determines that such an extension is reasonably necessary.
The update does not add a private right of action against operators. Nevada’s Attorney General, however, is empowered to seek an injunction or a civil penalty — up to $5,000 for each violation — against an operator who does not establish a designated request address or who sells consumer information in violation of the law.
SB 220 also amends the definition of “operator” to exclude financial institutions subject to the Gramm-Leach-Bliley Act, entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and certain motor vehicle manufacturers and entities that repair motor vehicles.
Comparisons to CCPA
SB 220 defines “sale” to mean the exchange of Covered Information collected online for monetary consideration by the operator to a person, for the person to license or sell the Covered Information to additional persons. Notably, this definition aligns with the more traditional understanding of the word “sale” (e.g. an exchange of goods or services for money) versus the far broader definition of “sale” under the CCPA, which extends to exchanges of personal information for both monetary and “other valuable consideration.”
Another important distinction is that the Nevada law only applies to Covered Information that has been collected online, whereas the CCPA applies to a far broader definition of “personal information”, regardless of the manner in which it has been collected.
SB 220 also does not specify the manner in which notice of the opt-out right must be provided. By contrast, a business that is subject to the CCPA must include a separate “Do Not Sell My Personal Information” link on its website and in its privacy policy.
New York Privacy Act
While things continue to develop on the west coast, the east coast is gaining attention with the introduction of the New York Privacy Act (S. 5642) (NYPA), a broad new proposal that has similarities to the CCPA.
Introduced in May, the proposed law would roll out strict rules for the processing of data by companies that conduct business in New York, or produce products or services that are intentionally targeted to New York residents. The most notable provision in the NYPA in its current form is that it imposes a fiduciary-like duty on businesses, requiring them to “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk” and “act in the best interest of the consumer.”
The term “personal data” under the NYPA is a combination of the General Data Protection Regulation’s (GDPR) personal data and the CCPA’s personal information definitions. It is broadly defined and includes (among a long list) biometric information, race and ethnicity, political information, geolocation, internet or other electronic network activity (such as browsing history, search history, user generated content, interaction with advertisement, etc.) and any inferences drawn from any of the information described in the definition of personal data to create a profile about an individual. The definition excludes, however, publically available information. Any processing of personal data, which includes collection, use and transfer, requires affirmative, express and documented consent.
The bill has been referred to the New York State Senate Consumer Protection Committee and a public hearing was held in June 2019 to discuss online privacy and what role the state legislature should play in overseeing it. The committee heard from a variety of interested parties, including a co-author of the CCPA, law professors, a blockchain company representative and the Center for Democracy and Technology. One of the bigger concerns is that there is a private right of action for violations of the NYPA.